[Federal Register Volume 74, Number 199 (Friday, October 16, 2009)]
[Notices]
[Pages 53286-53288]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-24968]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Federal Emergency Management Agency
[Docket ID FEMA-2008-0017]
Voluntary Private Sector Accreditation and Certification
Preparedness Program
AGENCY: Federal Emergency Management Agency, DHS.
ACTION: Notice of availability; request for comments.
-----------------------------------------------------------------------
SUMMARY: The Department of Homeland Security (DHS) announces its intent
to select standards for adoption in the Voluntary Private Sector
Accreditation and Certification Preparedness Program (``PS-Prep'').
This notice (1) finalizes the criteria to be used in selecting
standards for the PS-Prep Program; (2) discusses the prospective
adoption of the three identified standards, including (a) the approach
for collaboration with the Critical Infrastructure and Key Resources
(CIKR) sectors and (b) considerations for small business in the
adoption of the three identified standards; and (3) poses specific
questions for which comment is sought. Although DHS intends to select
only the three identified preparedness standards at this time, DHS may
select additional standards in the future.
Instructions: DHS will accept comments on PS-Prep and these
standards at any time, and comments will be considered as they are
received. Within 30 days after publication of this notice, DHS requests
comments regarding the adoption of the standard selections or any other
similar standard that satisfies the Target Criteria presented in the
December 24, 2008 notice (73 FR 79140). Those interested may submit
comments, identified by Docket ID FEMA-2008-0017, by one of the
following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments. (Note: This process
applies to all government requests for comments--even though as in the
case of PS-Prep, they may not be for regulatory purposes.)
E-mail: [email protected]. Include Docket ID FEMA-2008-0017
in the subject line of the message.
Fax: 703-483-2999.
Mail/Hand Delivery/Courier: Office of Chief Counsel,
Federal Emergency Management Agency, 500 C Street, SW., Room 840,
Washington, DC 20472-3100.
All submissions received must include the agency name and Docket ID
FEMA-2008-0017. All submissions will be posted, without change, to the
Federal eRulemaking Portal at http://www.regulations.gov, and will
include any personal information you provide. Because comments are made
available to the public, submitters should take caution to not include
any sensitive, personal information, trade secret, or any commercial or
financial information which is obtained from any person and which is
deemed privileged or confidential. Submitters may wish to read the
Privacy Act Notice available on the Privacy and Use Notice link on the
Administration Navigation Bar of http://www.regulations.gov.
Docket: For access to the docket to read background documents or
comments received, go to the Federal eRulemaking Portal at http://www.regulations.gov. Submitted comments may also be inspected at FEMA,
Office of Chief Counsel, 500 C Street, SW., Room 840, Washington, DC
20472.
Availability of the Identified Standards: The three identified
standards are available in two ways in
[[Page 53287]]
addition to being available on the individual Web sites of the three
respective standards development organizations (SDOs).
1. FEMA will maintain copies of the standards proposed under this
notice and make them available upon request for viewing in person at
FEMA's reading room, located at 500 C Street SW., Room 835, Washington,
DC 20472. Due to licensing and copyright restrictions, however, these
documents will be available for review only, not for copying.
2. FEMA's PS-Prep Web site, http://www.fema.gov/privatesector/preparedness, contains links to the Web sites for each of the three
SDOs. Each of these SDOs is making its standards available through this
link for inspection, downloading, and printing, especially for the
PS-Prep Program. Through the above link, the National Fire Protection
Association and the American Society for Industrial Security have made
NFPA 1600 and ASIS SPC 1-2009, respectively, available at no cost. Also
through this link, the British Standards Institution has made the U.S.
editions of BS25999-1 and BS25999-2 available for a reduced fee of
$19.99 each. At DHS's request, the British Standards Institution
reduced its regular fee for BS25999-1 from $132.00 to $19.99, and its
regular fee for BS25999-2 from $152.00 to $19.99, for the comment
period.
FOR FURTHER INFORMATION CONTACT: Mr. Donald Grant, Incident Management
Systems Integration Division, National Preparedness Directorate,
National Integration Center, 500 C Street, SW., Washington, DC 20472.
Phone: 202-646-3850 or e-mail: [email protected].
SUPPLEMENTARY INFORMATION:
I. Background
In the ``Implementing Recommendations of the 9/11 Commission Act of
2007'' (Pub. L. 110-53), Congress mandated DHS to establish a voluntary
private sector preparedness accreditation and certification program.
This program, now known as ``PS-Prep,'' will assess whether a private
sector entity complies with one or more voluntary preparedness
standards adopted by DHS, through a system of accreditation and
certification developed by DHS in close coordination with the private
sector.
DHS published a notice in the Federal Register on December 24,
2008, requesting comment on a voluntary private sector preparedness
accreditation and certification program (``PS-Prep''), target criteria
for voluntary preparedness standards under the program, and
recommendations for standards. See 73 FR 79140. DHS also held two
public meetings, on January 13 and February 23, 2009, and had other
interaction with stakeholders, to obtain comments on standards that DHS
should approve under PS-Prep. DHS has considered the information
gathered through these channels in the identification of the three
standards discussed in this notice and further development of the
PS-Prep Program.
II. Elements Considered in the Evaluation of Standards for Selection
On December 24, 2008, DHS published and sought public comment on
its proposed target criteria for preparedness standards. Upon review of
comments, DHS has determined the target criteria are appropriate,
valid, and consistent with the DHS mission and the goals of PS-Prep
Program. DHS, therefore, will adopt standards based on the target
criteria as previously listed.
III. Intent To Adopt Three Initial Standards for the PS-Prep Program
Based on public comments, the suitability of standards considered
to accomplish the purposes of the PS-Prep Program, and coverage of the
target criteria, DHS intends to adopt the following three standards.
Although the focus of each standard may be slightly different, each
meets the spirit and intent of Public Law 110-53, which defines
``voluntary preparedness standards'' as a ``* * * common set of
criteria for preparedness, disaster management, emergency management,
and business continuity programs. * * *'' These standards were chosen
because, among other things, they meet the target criteria and are not
industry specific.
1. NFPA 1600--Standard on Disaster/Emergency Management and
Business Continuity Programs, 2007 Edition. This standard establishes a
common set of criteria for preparedness, disaster management, emergency
management, and business continuity. NFPA 1600 specifies the management
and essential elements of a preparedness program for disaster
management, emergency management, and business continuity. The
particular strength of this standard is that it focuses on planning and
preparation in anticipation of a disaster and does not prescribe a
program development process.
2. BS25999--Business Continuity Management. This standard defines
requirements for a management systems approach to business continuity,
and integrates risk management disciplines and processes. BS25999 is
comprised of two parts: Part 1 dated 2006; Code of Practice, and Part 2
dated 2007; Specification. The particular strength of this standard is
that it specifically provides a management systems approach to business
continuity and also integrates risk management disciplines and
processes. The standard also provides the user the basis for
understanding and implementing in business-to-business and
business-to-customer dealings to reassure business resilience.
3. ASIS SPC. 1-2009--Organizational Resilience: Security
Preparedness, and Continuity Management Systems--Requirements with
Guidance for Use. This standard was released in 2009 and defines
requirements for a management systems approach to organizational
resilience. The particular strength of this standard is that it applies
a management systems approach to organizational resilience. The
standard encompasses an assortment of risk management mechanisms and
follows a plan-do-check-act approach associated with other
International Standard Organization management system based standards.
IV. Adoption of Initial Standards in the PS-Prep Program
DHS, after considering the public comments received on this notice,
will publish a notice in the Federal Register to announce the standards
that DHS will adopt. DHS may adopt any or all of the three standards
identified above.
V. Critical Infrastructure and Key Resources (CIKR) Sector Specific
Issues
Following adoption of the initial standards, DHS will collaborate
with the CIKR sectors and their respective Sector Coordinating Councils
to identify the regulations, guidelines, sector codes of practice, and
best practices of the sector that may affect implementation of the
adopted standards.
The DHS Office of Infrastructure Protection will then work with
individual CIKR sectors to develop a framework in which the identified
sector specific considerations can be built into the application of the
adopted standards to individual sectors. Any such framework could be
used both by an entity seeking certification of conformity to a
standard and by the certifying body.
VI. Small Business Consideration
Title IX of Public Law 110-53 recognized that small businesses need
to be treated differently in the PS-Prep Program, and requires DHS to
give special consideration to small business
[[Page 53288]]
concerns (as defined by Section 3 of the Small Business Act (15 U.S.C.
632)). The December 24, 2008 Federal Register notice contained an
extensive discussion of DHS' approaches to best reflect the interests
of small businesses and the purpose of the PS-Prep Program. DHS
continues to seek comments from small businesses and others on the
adoption of these standards and their impact on future decisions to
seek certification under the PS-Prep Program.
VII. Questions for Which Comment or Recommendations Are Specifically
Sought
The Department requests comments, suggestions, or other advice
regarding the PS-Prep Program, including but not limited to responses
to the following questions:
1. Are there reasons that DHS should not adopt any one of the three
standards listed above?
2. Are there any supporting guidance materials in addition to the
three identified standards that are needed to help the private sector
attain certification to one of the three standards?
3. What factors would a business consider in determining which DHS
adopted standard(s) to pursue for certification under the PS-Prep
Program?
4. What are the reasons for businesses to seek certification under
these identified standards?
5. How would the fact that an organization is certified under the
PS-Prep Program affect or otherwise influence your decision to do
business with them?
6. In response to the December 2008 Federal Register notice, DHS
received numerous comments promoting the use of a ``maturity model
process improvement approach'' for business preparedness and
continuity. The maturity model was described as an approach whereby
certifications on certain standards could be incremental, i.e., grading
on a scale of conformance, rather than a conformance/non-conformance
basis. The notice noted that certifications will determine conformity
or non-conformity with a particular standard. How could the use of a
maturity model approach be applied to certification to any of these
standards?
7. What may be the potential impact (e.g., cost, return on
investment, other considerations, etc.) on small businesses when
attempting to implement any of the above identified standards?
W. Craig Fugate,
Administrator, Federal Emergency Management Agency.
[FR Doc. E9-24968 Filed 10-15-09; 8:45 am]